How to help prevent business email compromise scams
Business email compromise scams are one of the most prevalent types of fraud targeting businesses and organizations. Learn how to help protect your business.

Business email compromise scams (including targeted spear phishing) are one of the most prevalent types of fraud targeting businesses and organizations. Business losses have been increasing each year, and in 2023, Canadian businesses reported losing more than $58 million to spear phishing fraud alone.
What is business email compromise?
Business email compromise occurs when a fraudster sends a message to a victim that appears to come from a known business source. The email makes a seemingly legitimate request, such as sharing financial information or processing a payment. The fraudster is counting on the victim to provide the payment or information, which they then use to commit financial crime.
Anyone can be the target of a business email compromise scam, but certain functions are more vulnerable, including:
- C-suite and executives
- Finance and accounting employees
- HR employees
- Newly hired or entry-level employees
How do business email compromise scams work?
Business email compromise scams vary in length and sophistication, but fraudsters often use these approaches:
Identify and research targets
Fraudsters typically begin by identifying a target within an organization before collecting as much information as possible about that person. Often, scammers use a range of sources – including social media, company websites, news reports, LinkedIn profiles, and more – to find information they can use to impersonate or appear familiar with their victim and their organization.
Infiltrate or spoof an email account
To establish contact with someone in a business, fraudsters will try to gain unauthorized access to an existing email account or spoof an employee’s email address. They might use a lookalike address that differs from the legitimate one by only a character or two (for example, john.smith@abccompany.com in place of the real jon.smith@abccompany.com, or jane-doe@123organization.com in place of jane_doe@123organization.com), or simply put a familiar display name on an unrelated address so that the visible “From” looks right while the underlying address does not. They may also use a lookalike domain, such as the company’s name under .net instead of .com. The scammers then send spear phishing emails – phishing emails that target specific individuals – with the goal of tricking victims into making payments or revealing confidential information.
Use malware
Sometimes the goal of a business email compromise scam is to trick a victim into installing malware that can penetrate company networks and give criminals access to key financial information, organizational systems or employee data. They send employees emails with malicious attachments, or with links that appear legitimate but lead to a website set up by the threat actors.
Example:
You receive an email that appears to come from your boss instructing you to send money to an account that you’re unfamiliar with. Your “boss” says this request is urgent and confidential. Given the time sensitive nature of the request, you send the funds right away. The fraudster may have hacked into your boss’s email, or they may be spoofing the account by using an address that differs by one or two characters. The request may involve information the fraudster has obtained through in-depth research, social engineering or by installing malware. Either way, once you realize you’ve made a mistake, the funds are long gone.
Red flags to look out for:
- If the request involves excessive urgency, persuasion, pressure or manipulation.
- If the request involves an address or a bank account you’ve never used before.
- If the address or bank account details don’t match your existing records.
- If the request does not follow your organization’s established procedures or approval processes.
Tips to help protect your organization
- Develop a fraud training program that teaches your employees to:
  - Slow down when a request is marked “urgent”. Urgency is a pressure tactic; be mindful of responding too quickly with personal or financial information.
  - Review email addresses and URLs carefully, not just the display name. Emails and websites can look like they are from trusted companies, but on close inspection you will notice a small difference such as one extra letter, a swapped or missing period, a digit in place of a letter, or a .net instead of a .com.
  - Recognize common social engineering ploys and methods used in cyber attacks.
  - Limit what they post on social media, particularly those in sensitive or finance-related roles.
- Establish a callback process for any changes to payments or account numbers, particularly electronic instructions. Call back using a phone number already on file, never one supplied in the email that made the request.
- Adopt internal controls, such as requiring a secondary approver for payments and for changes to vendor banking details.
- Create a checklist of what to do in a situation of fraud.
- Carefully establish procedures and controls for vendors with whom you do business.
- Review employee access privileges regularly for suitability and departures.
- Communicate the importance of using work technology only for work.
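As an added example (not BMO’s code, and not a tool the page describes any organization using), the following Python script applies the checks from “Infiltrate or spoof an email account” and from the “Review email addresses and URLs carefully” tip to a raw From: header. It compares the sender against a small directory of known contacts and flags a familiar display name on an unfamiliar address, a local part one typo away from a known one (john.smith versus jon.smith, jane-doe versus jane_doe, a zero in place of an o), and a lookalike domain (.net in place of .com). The contact directory, the sample headers and the one-edit threshold are all assumptions constructed for the illustration.

```python
from email.utils import parseaddr
import unicodedata

# Constructed directory of known contacts (display name -> address). In a real
# deployment this would come from the address book or the vendor master file.
KNOWN_CONTACTS = {
    "Jon Smith": "jon.smith@abccompany.com",
    "Jane Doe": "jane_doe@123organization.com",
}

# Glyphs that read alike at a glance, folded to one form before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})
# Separators that fraudsters swap inside the local part (jane-doe vs jane_doe).
SEPARATORS = str.maketrans({"-": "_", ".": "_"})


def fold(text: str) -> str:
    """Unicode-normalise, casefold and collapse confusable glyphs."""
    return unicodedata.normalize("NFKC", text).casefold().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, contacts=KNOWN_CONTACTS, max_dist: int = 1):
    """Return a list of (flag, known_address) red flags for a From: header.

    An empty list means the address exactly matches a known contact.
    max_dist=1 is an assumed threshold: one typo away counts as a lookalike.
    """
    name, addr = parseaddr(from_header)
    addr = addr.casefold()
    if "@" not in addr:
        return [("malformed-address", None)]
    if addr in {a.casefold() for a in contacts.values()}:
        return []
    flags = []
    # Cheapest spoof: a familiar display name on an unfamiliar address.
    for n, a in contacts.items():
        if name and fold(name) == fold(n):
            flags.append(("display-name-mismatch", a))
    local, domain = addr.rsplit("@", 1)
    local, domain = fold(local).translate(SEPARATORS), fold(domain)
    base, _, tld = domain.rpartition(".")
    for a in contacts.values():
        k_local, k_domain = a.casefold().rsplit("@", 1)
        k_local, k_domain = fold(k_local).translate(SEPARATORS), fold(k_domain)
        k_base, _, k_tld = k_domain.rpartition(".")
        if k_domain == domain and edit_distance(k_local, local) <= max_dist:
            # Same domain, local part a typo away: john.smith for jon.smith.
            flags.append(("lookalike-local-part", a))
        elif k_local == local and (
            (k_base == base and k_tld != tld) or edit_distance(k_domain, domain) <= max_dist
        ):
            # Same person, lookalike domain: abccompany.net for abccompany.com.
            flags.append(("lookalike-domain", a))
    # A sender with no resemblance to any contact is still an address you have
    # never dealt with, which the red-flag list above treats as a warning.
    return flags or [("unknown-sender", None)]


if __name__ == "__main__":
    # Constructed sample headers, including the two pairs quoted in the article.
    for header in [
        '"Jon Smith" <jon.smith@abccompany.com>',
        '"Jon Smith" <john.smith@abccompany.com>',
        "Jane Doe <jane-doe@123organization.com>",
        "Jon Smith <jon.smith@abccompany.net>",
        "J0n.Smith@abccompany.com",
        "Billing <billing@unrelated.example>",
    ]:
        print(f"{header!r:48} -> {check_sender(header)}")
```

Everything here inspects only the visible sender. A message sent from a genuinely compromised account passes as a known contact, which is why the callback and secondary-approver controls above matter more than any address check.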
The bottom line
Business email compromise fraud is among the most financially damaging forms of online crime, and as these scams grow and evolve, identifying and preventing business email compromise can be a daunting challenge for any organization. However, by building awareness of these scams and putting the right processes in place, businesses can help protect themselves from this costly type of fraud.
Learn how to protect yourself
For more information and updates on potential scams, refer to the BMO Security Alerts page.